Experts: Brazen Cyberattack Against US Agencies Bears Hallmarks of Russian Cyber Tradecraft

A foreign government has struck the US Treasury and Commerce Departments, stealing data and infiltrating employees’ emails, in what experts are calling the most sweeping and technologically advanced cyberattack against the country in years.

The White House National Security Council reportedly met on Saturday to discuss the breach, and both the Department of Homeland Security and FBI have issued statements acknowledging the attacks. While news reports point to Russian intelligence agencies as the most likely culprit, the US government has not yet officially blamed Russia for the cyber espionage operation.

“The United States government is aware of these reports, and we are taking all necessary steps to identify and remedy any possible issues related to this situation,” John Ullyot, spokesman for the National Security Council, said in a statement.

News of the cyberattack was first reported by Reuters.

Cybersecurity officials say the attack began in Spring 2020 and is ongoing. In a series of statements, the Department of Homeland Security attributed the breach to “malicious actors.”

Several national security agencies and civilian contractors may also have been affected, according to reporting by The New York Times and The Wall Street Journal. However, as of this article’s publication it’s not immediately clear how far the effects of the cyberattack reach — and how much sensitive government data, or if any highly classified defense secrets, may have been stolen.

“The campaign is the work of a highly skilled actor and the operation was conducted with significant operational security,” the US-based cybersecurity firm FireEye said in a Sunday release.

Some experts say that if Moscow is indeed behind the recent attacks, then it may be part of a broader Kremlin gambit to scramble the deck, so to speak, on US foreign policy toward Russia — possibly to challenge the incoming administration of President-elect Joe Biden.

“From Washington’s perspective, this hacking is one more in a steady drumbeat of Russian malign activities, including also microwave attacks against US diplomats and the poisoning of democratic oppositionist Alexei Navalny with an internationally banned chemical weapon,” William Courtney, a former US ambassador to Kazakhstan and Georgia who is now an adjunct senior fellow at the Rand Corp., told Coffee or Die Magazine.

“These and other strains in relations with Moscow could lead to increased US sanctions on Russia,” Courtney said.

The Kremlin, for its part, denies it had anything to do with the attack.

“I reject these statements, these accusations once again,” Russian presidential spokesman Dmitry Peskov told journalists during a Monday press conference, the Russian news agency TASS reported.

“Even if it is true there have been some attacks over many months and the Americans managed to do nothing about them, possibly it is wrong to groundlessly blame Russians right away,” Peskov said. “We have nothing to do with this.”

As part of what industry experts call a “supply-chain” cyberattack, the hackers reportedly exploited a vulnerability in software created by the IT company SolarWinds Inc., which has more than 300,000 customers worldwide, including more than 400 of the US Fortune 500 companies, according to The Wall Street Journal. The hackers reportedly cloaked their attacks as updates to versions of SolarWinds’ Orion IT monitoring and management software, which were released between March 2020 and June 2020.

SolarWinds’ US government clients include the executive branch, the Secret Service, the Federal Reserve, the Department of Defense, and intelligence agencies. SolarWinds’ customers also comprise several key civilian military contractors, such as Booz Allen Hamilton, and Lockheed Martin Corp. — producer of the F-22 Raptor advanced stealth fighter jet.

In a release, SolarWinds said an “outside nation state” conducted the “narrow, extremely targeted, and manually executed attack.”

JUST RELEASED: Emergency Directive 21-01 calls on all federal civilian agencies to review their networks for indicators of compromise and disconnect or power down SolarWinds Orion products immediately. Read more: https://t.co/VFZ81W2Ow7

— Cybersecurity and Infrastructure Security Agency (@CISAgov) December 14, 2020

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency issued a flurry of warnings Sunday night, advising organizations that use the Orion software to review their networks for compromise and to “disconnect or power down SolarWinds Orion products immediately.”

“The compromise of SolarWinds’ Orion Network Management Products poses unacceptable risks to the security of federal networks,” Brandon Wales, acting director of the Cybersecurity and Infrastructure Security Agency, said in a Sunday evening statement.

“Tonight’s directive is intended to mitigate potential compromises within federal civilian networks, and we urge all our partners—in the public and private sectors—to assess their exposure to this compromise and to secure their networks against any exploitation,” Wales said.

While US government agencies routinely face cyberthreats, this particular strike was unique in its sophistication and scope, experts say, underscoring what may be a new trend in cyber espionage: the exploitation of vulnerabilities in commercial software shared across a broad spectrum of government agencies and key businesses.

Thus, along that line of thinking, many cybersecurity experts say the recent attacks match Russia’s cyberwarfare modus operandi, which has been on display for years in places like Ukraine, the Baltics, as well as against the US and its Western allies.

“My read is that this is spy business as usual,” Richard Stiennon, chief research analyst at IT-Harvest, a US-based cybersecurity analyst firm, said. “The original compromise of SolarWinds occurred earlier this year and has been stealthily deployed widely since then. I have not seen evidence that these attacks were revealed so much as discovered. In other words, the attackers, who took extraordinary steps to avoid discovery, were found out.”

.@CISAgov encourages organizations that use SolarWinds Orion Platform software to review the following advisories for information on publicly identified nation state backed threat actor activity:https://t.co/zcAREzsbAXhttps://t.co/EvIwOsUusVhttps://t.co/fs5Cn40WAI

— US-CERT (@USCERT_gov) December 14, 2020

In September, Russian President Vladimir Putin put forward a proposal for the US and Russia to combine forces in cybersecurity operations. Most US officials disregarded the offer as a disingenuous attempt by the Kremlin to disguise its own culpability for a worldwide blitz of cyberattacks since 2014 — the year the West imposed sweeping sanctions on Russia for its invasion of Ukraine.

“We have received no reply from Washington,” the Russian Embassy to the US wrote on Facebook, regarding Putin’s Sept. 25 proposal for US-Russia cybersecurity cooperation.

This latest attack will likely spur a broader self-evaluation by the US government regarding its vulnerability to supply-chain cyberattacks. The attack also underscores how shoring up America’s cyberdefenses remains a daunting challenge, similar to that of counterterrorism in the sense that US security officials have to be more imaginative than America’s adversaries in order to successfully anticipate their next method of attack.

“On the cutting edge yes, imagination is called for. But I think the US Federal Agencies and military are still playing catch up,” said Stiennon, the cybersecurity research analyst. “Banks and defense contractors are much better at cyber defense. While the [US National Security Agency] is probably even more sophisticated than Russian cyber teams, those capabilities are not translated into our defenses.”

In 2014 and 2015 Russian intelligence agencies launched a cyberattack on US government agencies, stealing troves of sensitive information — including details about President Barack Obama’s schedule. And in May 2015, Russian hackers used malware to target a number of American and international banks, stealing some $900 million.

While Russia has not conducted a major cyberattack against the US in several years, there has been a steady stream of alleged Russian attacks against the US and its Western allies this year, underscoring, what some experts say, is a less audacious but ever-present cyberthreat from Moscow.

“The Kremlin’s cyberattacks are often a part of the Kremlin’s efforts to shape perceptions and support the Kremlin’s information operations. For example, Russia’s cyberattacks on Ukraine’s electric grid and other critical infrastructure are intended to undermine trust the Ukrainian government’s ability to provide basic services,” said Nataliya Bugayova, a national security research fellow who specializes in Russian affairs at the Institute for the Study of War, a US think tank.

“Similarly, IF the Kremlin is behind the recent wave of cyberattacks, the choice to target US government agencies and a prominent cyber security provider would align with its goal to undermine trust towards public and private sector institutions more broadly,” Bugayova told Coffee or Die Magazine in an email.

❗️Malicious activities in information space contradicts the principles of the ??foreign policy, national interests and our understanding of interstate relations.
?
Lear More:
?https://t.co/aMjlZvfjiz pic.twitter.com/xMwYlf4CqX

— Russian Embassy in USA ?? (@RusEmbUSA) December 14, 2020

In July, multiple news sites reported that Russian hackers had tried to steal COVID-19 vaccine research from Western firms. In September, Reuters reported that Russian hackers had targeted the Biden presidential campaign.

Moreover, Russia’s cyberattacks against the US generally reflect the execution of tradecraft honed on other cyber-battlefields — most notably that of Ukraine, where Russia has also been waging a low-intensity trench war for years.

“These attacks definitely are similar to others we have seen from Russian groups,” Stiennon said, referring to the recent SolarWinds cyberattacks.

Since its invasion of Ukraine in 2014, Russia has maintained a low-level cyberoffensive against its former Soviet ally, targeting banks, railroads, the mining industry, and power grid. Military communications and secure databases have also been attacked, according to Ukrainian officials. Pro-Russian hackers have also leaked stolen, sensitive information from Ukrainian government networks and the accounts of government officials.

Cyberwarfare has been a key component of Russia’s ongoing, conventional military campaign in eastern Ukraine’s embattled Donbas region. Online disinformation campaigns have helped to cloud Western media reports about Russia’s direct involvement in military operations in the Donbas, as well as in Ukraine’s Crimean territory.

Russia has also launched cyberattacks against the governments of countries across Europe, including the Netherlands, Estonia, Germany, and Bulgaria.

“It is evident that Russia has fully embraced cyber espionage as part of their overall strategy to further their global interests,” LookingGlass, a US cybersecurity firm, said in a 2015 report. Nevertheless, Russian officials resolutely deny their country’s responsibility for the recently uncovered cyberattacks.

“We declare responsibly: malicious activities in the information space contradicts the principles of the Russian foreign policy, national interests and our understanding of interstate relations,” the Russian Embassy to the US wrote on its Facebook page, adding: “Russia does not conduct offensive operations in the cyber domain.”